Updated HIPAA rules now in effect

Failure to provide the required HIPAA notices or meet standards may result in investigations and possible civil or criminal penalties.

The federal privacy protection rule applies to health care providers, health plans, other covered entities and their business associates. Revisions, announced in March, require covered entities and their business associates to take the following steps:

Amend business associate agreements to reflect the new regulations; and

Retrain practice staff on the revised policies.

For the first time, the HIPAA privacy and security rules will apply not only to health care practitioners and their business associates but to any subcontractors who provide services to those business associates.

The AOA is providing resources to help you with every step.

What the new rule covers

The new rule prohibits the sale of federally protected patient health information (PHI). It also prohibits the use of that information for marketing purposes without authorization from the patient. In addition, a patient may now ask a practice to withhold from a health plan PHI related to a particular service if the patient has paid for that service out of pocket.

Federal law requires practitioners to provide all patients with notices of the measures taken to protect patient information. This is not optional: Failure to provide the required HIPAA notices or meet standards may result in investigations and possible civil or criminal penalties.